Encrypt the password in Openssl Command






Currently, I am supplying the password in plaintext format as below:

    openssl genrsa -aes128 -passout pass:foobar 3072

Where foobar is the password supplied in plaintext format.

I want to supply the password using some encrypted format or any other way such that it's not easily readable.

Tags: ssl, openssl, ssl-certificate

asked Nov 24 '18 at 14:42 – soumya
edited Nov 24 '18 at 17:54 – Jay

  • As Jay correctly says, you can't encrypt the passphrase. There are several ways of having it not readable, depending on exactly which kind(s) of readable you care about, but they are described in the man pages which you read before asking, and obviously they were unsuitable for some reason(s) you don't explain, making it impossible to try to help.

    – dave_thompson_085
    Nov 24 '18 at 23:52

2 Answers

If you indeed did supply the password in an encrypted format as you are requesting, how will you provide the encryption key which was used to encrypt the said password to OpenSSL so that OpenSSL can decrypt it and use the correct password?

The password which you are providing to OpenSSL, I assume, is used by OpenSSL to encrypt the RSA Private Key which will be generated. If this is indeed the password which you want OpenSSL to use, then it has to be given in plaintext.

If you are worried that it might be seen by someone, you need to ensure that it is entered in a secure way. But, "encrypted password" is not the solution, as you might end up with a complication of protecting the encryption key for the password itself.


answered Nov 24 '18 at 18:05 – Jay


Usually, the password should be passed via openssl prompt (i.e.: removing the -passout pass:foobar argument).

If you're passing the password via command line because you have to use it in another part of the script, you can use the example below:

    # Prompt without echoing the input (read -s needs bash)
    echo -n "Password: "
    read -rs PASS
    echo
    openssl genrsa -out keypair.pem -aes128 -passout "pass:${PASS}"
    openssl req -new -key keypair.pem -passin "pass:${PASS}"

However, if you really need to generate keys without user interaction, you can use the example below, but I wouldn't recommend it for any production environment.

Create a script (e.g.: auto_key_gen.sh) containing the code below:

    #!/bin/sh
    # $1: PEM file holding your personal public key
    PASS=$(openssl rand -hex 16)
    openssl genrsa -out auto_keypair.pem -aes128 -passout "pass:${PASS}"
    # rsautl is deprecated since OpenSSL 3.0; pkeyutl is its replacement
    printf '%s' "${PASS}" | openssl rsautl -encrypt -pubin -inkey "$1" -out encrypted_pass.bin

Generate a personal keypair and extract the public key:

    openssl genrsa -out mykeypair.pem -aes128
    openssl rsa -in mykeypair.pem -out mypubkey.pem -pubout

Keep the personal keypair somewhere safe. The personal public key, you use to run the script:

    chmod +x auto_key_gen.sh
    ./auto_key_gen.sh mypubkey.pem

The script generates a random password and uses it to encrypt the generated key pair (auto_keypair.pem). The password is encrypted with your personal public key and saved in a file (encrypted_pass.bin).

The script can keep the password in "memory" to use with other openssl commands.

You can retrieve the encrypted password using your personal keypair:

    openssl rsautl -decrypt -inkey mykeypair.pem -in encrypted_pass.bin -out decrypted_pass.hex

Both the script and the public key must be protected against unauthorized modification.


answered Nov 24 '18 at 23:16 – Lucas Martins
edited Nov 25 '18 at 0:14
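Both answers leave the passphrase in plaintext on the openssl command line, where `pass:` makes it visible in process listings. The following added example (not part of the original posts) uses openssl's documented `env:`, `stdin` and `fd:` passphrase sources, the man-page options the comment on the question refers to, to keep it out of argv. The function names, `KEY_PASS` and the usage lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the answers. Function names and KEY_PASS are
# constructed for illustration.
#
# "pass:..." places the passphrase in openssl's argument vector, which other
# local users can usually read with ps. The sources below keep it out of argv.
# Shell function arguments are not process arguments, so "$2" is not exposed.
#
# Arguments: $1 = output key file, $2 = passphrase, $3 = bits (default 3072)

# env:VAR - openssl reads the passphrase from its own environment. The
# assignment prefix scopes KEY_PASS to this single child process. The openssl
# man page still advises caution, because on some platforms the environment
# of a process is visible to others.
gen_key_env() {
    ( umask 077   # key file is created readable by its owner only
      KEY_PASS="$2" openssl genrsa -aes128 -passout env:KEY_PASS \
          -out "$1" "${3:-3072}" )
}

# stdin - printf is a shell builtin, so the passphrase never appears in the
# argv or environment of any process; it only travels through the pipe.
gen_key_stdin() {
    ( umask 077
      printf '%s\n' "$2" | openssl genrsa -aes128 -passout stdin \
          -out "$1" "${3:-3072}" )
}

# fd:N - same idea on a spare descriptor, leaving stdin free for other input.
gen_key_fd() {
    ( umask 077
      openssl genrsa -aes128 -passout fd:3 -out "$1" "${3:-3072}" 3<<EOF
$2
EOF
    )
}

# Returns 0 only if the private key in $1 decrypts with passphrase $2.
key_opens_with() {
    printf '%s\n' "$2" | openssl rsa -in "$1" -passin stdin -noout 2>/dev/null
}

# Usage in place of "-passout pass:${PASS}" after prompting for PASS:
#   gen_key_stdin keypair.pem "$PASS"
#   KEY_PASS="$PASS" openssl req -new -key keypair.pem -passin env:KEY_PASS
```

None of these encrypts the passphrase; they only narrow who can observe it while openssl runs, which is the distinction the first answer draws.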





























